Cobalt Strike 4.11: Shhhhhh, Beacon is Sleeping….
#cobaltstrike
Cobalt Strike 4.11 is now available. This release introduces a novel Sleepmask, a novel process injection technique, new out-of-the-box obfuscation options for Beacon, asynchronous BOFs, and a DNS over HTTPS (DoH) Beacon. Additionally, we have overhauled Beacon’s reflective loader and there are numerous QoL updates. Out-of-the-Box Evasion Overhaul The focus of this release (and the [...]
via Cobalt Strike Blog (author: William Burgess)
PCAP Threat Hunting with Wireshark -TrickBot & Cobalt Strike Detection | DNS & HTTP
https://github.com/YASHWANTgs/pcap-threat-hunting-trickbot
Go-based C2 teamserver inspired by Cobalt Strike; seamless agent control, web UI, and Malleable Profile support. Fast, extensible, and secure for red-team ops.
https://github.com/armin-hg/NewCobaltstrikeTeamServer
Implementation of the concept of asynchronous Beacon Object Files. It provides a framework for running asynchronous monitoring tasks that can detect events and report back to the Cobalt Strike team server.
https://github.com/9Insomnie/async_bof
Robust Cobalt Strike shellcode loader with multiple advanced evasion features
https://github.com/Meowmycks/koneko
Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover
After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still abuse dMSAs to take over any object where we have a write primitive. This mention did not gather significant attention from the community, leaving an operational gap for dMSA related tooling and attention. This blog dives into why dMSA abuse is still a problem, the release of a new Beacon object file (BOF) labeled BadTakeover, plus additions to SharpSuccessor, all to show that BadSuccessor’s impact as a technique (not a vulnerability) will still hold a lasting effect.
https://github.com/logangoins/BadTakeover-BOF
https://specterops.io/blog/2025/10/20/the-near-return-of-the-king-account-takeover-using-the-badsuccessor-technique/
Cobalt Strike Beacon Object File to enumerate Windows system drivers via WMI
https://github.com/0x73/CS-DriverQuery-BOF
CobaltStrike’s AI-native successor, ‘Villager,’ makes hacking too easy
https://www.csoonline.com/article/4057785/cobaltstrikes-ai-native-successor-villager-makes-hacking-too-easy.html
https://www.straiker.ai/blog/cyberspike-villager-cobalt-strike-ai-native-successor
The new AI-native framework, freely available online, could make advanced cyberattacks faster, easier, and more accessible than ever.
Cobalt Strike aggressor script to add context-menu option for clearing beacon queue
https://github.com/PN-Tester/AbortCommand
Execute PE files in-memory using Cobalt Strike's Beacon, eliminating child processes and consoles for stealthy operations and efficient output handling.
https://github.com/evelyn67a/BOF_RunPe
ColdWer
Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass.
https://github.com/0xsh3llf1r3/ColdWer
Rustbof
https://github.com/joaoviictorti/rustbof
This project enables the development of BOFs using Rust with full no_std support. It leverages Rust's safety features and modern tooling while producing small, efficient COFF objects.
The framework provides everything needed for BOF development. The build process compiles your code to a static library, which boflink then links into a COFF object with proper relocations and imports for Beacon's dynamic function resolution.
ICMP C2 Protocol for CS
https://ryanq47.github.io/posts/CobaltStrike_ICMP_Tunnel/
https://github.com/ryanq47/CS-EXTC2-ICMP
An ICMP channel for Beacons, implemented using Cobalt Strike’s External C2 framework.
The New Chapter of Egress Communication with Cobalt Strike User-Defined C2
https://whiteknightlabs.com/2026/01/06/the-new-chapter-of-egress-communication-with-cobalt-strike-user-defined-c2/
For years, External C2 has been regarded as one of the most effective ways to bypass EDR and XDR solutions thanks to its ability to support custom-built
Next-Generation BOF Template | BOF Linter | Obj Rewriter
for Win/Linux/MacOS BOFs
https://github.com/wwh1004/bof-template-ng
Explore BOFs for Cobalt Strike and Havoc C2, focusing on Active Directory attacks and post-exploitation techniques to enhance your security research.
https://github.com/Wanssss1/BOFs